diff options
Diffstat (limited to 'plugin')
| -rw-r--r-- | plugin/eurephia.c | 17 | ||||
| -rw-r--r-- | plugin/firewall/eurephiafw.c | 9 |
2 files changed, 25 insertions, 1 deletions
diff --git a/plugin/eurephia.c b/plugin/eurephia.c index f86b6cb..544e0ec 100644 --- a/plugin/eurephia.c +++ b/plugin/eurephia.c @@ -32,9 +32,11 @@ #include <stdio.h> #include <stdlib.h> #include <stdarg.h> +#include <sys/mman.h> #include <string.h> #include <getopt.h> #include <assert.h> +#include <errno.h> #define EUREPHIA_FWINTF /**< Include the proper eurephiaFWINTF declaration in eurephiaCTX */ #include <eurephiafw_struct.h> @@ -126,6 +128,10 @@ eurephiaCTX *eurephiaInit(const char **argv) // Prepare a context area for eurephia-auth ctx = (eurephiaCTX *) malloc_nullsafe(NULL, sizeof(eurephiaCTX)+2); assert( ctx != NULL ); + if( mlock(ctx, sizeof(eurephiaCTX)+2) < 0 ) { + eurephia_log(ctx, LOG_CRITICAL, 0, "Could not mlock() eurephia context: %s", + strerror(errno)); + }; ctx->context_type = ECTX_PLUGIN_AUTH; // Open a log file @@ -161,6 +167,10 @@ eurephiaCTX *eurephiaInit(const char **argv) // Get data for server_salt - which will be used for the password cache ctx->server_salt = (char *) malloc_nullsafe(ctx, SIZE_PWDCACHE_SALT+2); assert( ctx->server_salt != NULL ); + if( mlock(ctx->server_salt, SIZE_PWDCACHE_SALT+2) < 0 ) { + eurephia_log(ctx, LOG_CRITICAL, 0, "Could not mlock() eurephia server salt: %s", + strerror(errno)); + } if( !eurephia_randstring(ctx, ctx->server_salt, SIZE_PWDCACHE_SALT) ) { eurephia_log(ctx, LOG_PANIC, 0 , @@ -224,7 +234,9 @@ int eurephiaShutdown(eurephiaCTX *ctx) eurephia_log_close(ctx); memset(ctx->server_salt, 0xff, SIZE_PWDCACHE_SALT+2); + munlock(ctx->server_salt, SIZE_PWDCACHE_SALT+2); free_nullsafe(ctx, ctx->server_salt); + munlock(ctx, sizeof(eurephiaCTX)+2); free_nullsafe(ctx, ctx); return 1; } @@ -375,8 +387,11 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) // Do username/password/certificate authentication passwd = GETENV_PASSWORD(ctx, env); + mlock(passwd, strlen_nullsafe(passwd)); if( (passwd == NULL) || (strlen_nullsafe(passwd) == 0) ) { eurephia_log(ctx, LOG_WARNING, 0, "eurephia-auth: No password received. Action aborted"); + memset(passwd, 0, strlen_nullsafe(passwd)); + munlock(passwd, strlen_nullsafe(passwd)); free_nullsafe(ctx, passwd); free_nullsafe(ctx, tls_id); free_nullsafe(ctx, username); @@ -435,6 +450,8 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) } exit: + memset(passwd, 0, strlen_nullsafe(passwd)); + munlock(passwd, strlen_nullsafe(passwd)); eDBfree_session(ctx, authsess); free_nullsafe(ctx, remport); free_nullsafe(ctx, cname); diff --git a/plugin/firewall/eurephiafw.c b/plugin/firewall/eurephiafw.c index deec3db..471e6e8 100644 --- a/plugin/firewall/eurephiafw.c +++ b/plugin/firewall/eurephiafw.c @@ -145,6 +145,10 @@ void eFW_StartFirewall(eurephiaCTX *ctx) { // Create a fake eurephia context, just for logging shadowctx = (eurephiaCTX *) malloc_nullsafe(ctx, sizeof(eurephiaCTX)+2); assert( shadowctx != NULL ); + if( mlock(shadowctx, sizeof(eurephiaCTX)+2) < 0 ) { + eurephia_log(ctx, LOG_CRITICAL, 0, "Could not mlock() firewall context: %s", + strerror(errno)); + }; shadowctx->context_type = ECTX_NO_PRIVILEGES; shadowctx->log = ctx->log; (*ctx->fwcfg).thrdata.ctx = shadowctx; @@ -214,6 +218,7 @@ void eFW_StartFirewall(eurephiaCTX *ctx) { } switch( ctx->fwcfg->fwproc_pid ) { case 0: // Child process + eDBdisconnect(ctx); eFW_RunFirewall(&(*ctx->fwcfg).thrdata); exit(-1); // If our child process exits abnormally. @@ -252,7 +257,7 @@ void eFW_StartFirewall(eurephiaCTX *ctx) { sem_wait(ctx->fwcfg->thrdata.semp_worker); eurephia_log(ctx, LOG_INFO, 2, "eFW interface initialised."); - // Initialise the chain + // Initialise the chain memset(&buf, 0, 1026); snprintf(buf, 1024, "I %s", fwdest); if( mq_send((*ctx->fwcfg).thrdata.msgq, buf, strlen(buf)+1, 1) == -1 ) { @@ -348,6 +353,8 @@ void eFW_StopFirewall(eurephiaCTX *ctx) { sem_post(ctx->fwcfg->thrdata.semp_master); // Clean up and exit + munlock(ctx->fwcfg->thrdata.ctx, sizeof(eurephiaCTX)+2); + free_nullsafe(ctx, ctx->fwcfg->thrdata.ctx); free_nullsafe(ctx, ctx->fwcfg->fwblacklist_sendto); eFree_values(ctx, ctx->fwcfg->blacklisted); free_nullsafe(ctx, (*ctx->fwcfg).thrdata.fw_command); |